HOW TO: Use Group Policy to disable USB, CD-ROM, Floppy Disk, and LS-120 drivers

This article describes an ADM template that allows an Administrator to disable the respective drivers of these devices.

Original product version:   Windows Server 2003
Original KB number:   555324

Symptoms

By default, Group Policy doesn't offer a facility to easily disable drives containing removable media, such as USB ports, CD-ROM drives, Floppy Disk drives, and high capacity LS-120 floppy drives. But Group Policy can be extended to use customized settings by applying an ADM template. The ADM template in this article allows an Administrator to disable the respective drivers of these devices, ensuring that they can't be used.

Resolution

Import this administrative template into Group Policy as an .adm file. See the link in the "More information" section if you're unsure how to do this.

CLASS MACHINE
CATEGORY !!category
 CATEGORY !!categoryname
 POLICY !!policynameusb
 KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
 EXPLAIN !!explaintextusb
 PART !!labeltextusb DROPDOWNLIST REQUIRED

VALUENAME "Start"
 ITEMLIST
 NAME !!Disabled VALUE NUMERIC 3 DEFAULT
 NAME !!Enabled VALUE NUMERIC 4
 END ITEMLIST
 END PART
 END POLICY
 POLICY !!policynamecd
 KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
 EXPLAIN !!explaintextcd
 PART !!labeltextcd DROPDOWNLIST REQUIRED

VALUENAME "Start"
 ITEMLIST
 NAME !!Disabled VALUE NUMERIC 1 DEFAULT
 NAME !!Enabled VALUE NUMERIC 4
 END ITEMLIST
 END PART
 END POLICY
 POLICY !!policynameflpy
 KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
 EXPLAIN !!explaintextflpy
 PART !!labeltextflpy DROPDOWNLIST REQUIRED

VALUENAME "Start"
 ITEMLIST
 NAME !!Disabled VALUE NUMERIC 3 DEFAULT
 NAME !!Enabled VALUE NUMERIC 4
 END ITEMLIST
 END PART
 END POLICY
 POLICY !!policynamels120
 KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
 EXPLAIN !!explaintextls120
 PART !!labeltextls120 DROPDOWNLIST REQUIRED

VALUENAME "Start"
 ITEMLIST
 NAME !!Disabled VALUE NUMERIC 3 DEFAULT
 NAME !!Enabled VALUE NUMERIC 4
 END ITEMLIST
 END PART
 END POLICY
 END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

More information

For more information about applying Administrative Template files, including instructions on how to use the above template, download the Microsoft White Paper 'Using Administrative Template Files with Registry-Based Group Policy' from here.

This template is considered a preference rather than a true policy and will tattoo the registry of client computers with its settings. If this template is moved out of scope of the Group Policy that applies it, the registry changes that it makes will remain. If you wish to reverse the settings made by this template, reverse the options to re-enable the drivers.

Preference settings are hidden by default in the Group Policy template editor. When applying this template, follow these instructions to change the view settings that allow preferences to be viewed.

Community Solutions Content Disclaimer

MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.